How do ransomware attacks infiltrate an organization?

Ransomware attacks have become an increasing threat to organizations of all sizes in recent years. These attacks involve malicious software that encrypts an organization’s files and demands a ransom payment in order to restore access. Understanding how ransomware infiltrates an organization is crucial for cybersecurity professionals who must defend against these threats.

What is ransomware?

Ransomware is a form of malicious software (malware) that encrypts an organization’s files and prevents access to important data and systems. The attackers demand a ransom payment, typically in cryptocurrency like Bitcoin, in exchange for decrypting the files. If the ransom is not paid, the organization risks permanently losing access to its data.

Some of the most common ransomware variants include:

  • CryptoLocker
  • CryptoWall
  • Locky
  • Ryuk
  • Conti
  • REvil

The ransom amounts demanded by attackers have increased dramatically in recent years, with average ransom payments now in the six figures. This makes ransomware a lucrative endeavor for cyber criminals.

How do ransomware attacks infiltrate organizations?

Ransomware operators use a variety of attack vectors to infiltrate an organization’s network and deploy malicious payloads onto its systems. Common attack vectors include:

Phishing emails

One of the most common methods ransomware uses to gain access is through phishing emails sent to employees. These emails are designed to appear legitimate, often impersonating known contacts or companies. They may contain malicious file attachments or links that download ransomware when opened or clicked on.

Exploiting vulnerabilities

Ransomware gangs are continuously scanning for and exploiting vulnerabilities in organizations’ internet-facing assets like remote desktop protocol (RDP) connections, virtual private networks (VPNs), and web applications. Once they gain access to an internet-facing system, they can move laterally within the network.

Third-party access

Attackers may infiltrate networks by compromising the security of third parties like managed service providers (MSPs) and gaining access through them. There have been major ransomware incidents where MSPs were breached first and used to deploy ransomware onto their customers’ networks.

Remote desktop protocol (RDP)

Exposed RDP services and remote-working solutions have become a growing target for ransomware actors. Brute-force attacks can gain access to RDP servers that are protected only by weak passwords.

Drive-by downloads

Visiting compromised websites can lead to drive-by downloads of ransomware onto systems. This is more common on websites with poor security or ones serving malicious ads.

Software vulnerabilities

Ransomware often exploits known software vulnerabilities to execute its payload. Keeping software patched and up-to-date is key to closing these security holes.

Anatomy of a ransomware attack

Ransomware attacks tend to follow a similar pattern of stages from initial access to encrypting files on the victim’s systems:

  1. Initial access: Gained through an attack vector like phishing, exploits, third-party access, RDP, etc.
  2. Reconnaissance: The attackers explore the network, find valuable data and map out the environment.
  3. Lateral movement: Attackers use tools like Mimikatz to steal credentials and move between systems.
  4. Payload deployment: Ransomware gets deployed onto many systems inside the network.
  5. Encryption: The ransomware encrypts files on systems across the network, preventing access.
  6. Ransom demand: The attackers reveal the ransom amount and payment deadline.

This multi-stage attack allows ransomware gangs to infiltrate deeply into networks and maximize the impact of encrypting critical files to extort the largest ransom payment possible.

How ransomware infects and spreads

Once inside a network, ransomware uses a variety of techniques to spread rapidly and deploy its file-encrypting payload onto as many systems as possible. These include:

Targeting network shares

Ransomware often scans for and encrypts network shares that may contain critical data. This helps it spread while also allowing attackers to maximize damage and extort a higher ransom.

Mimikatz

The malware Mimikatz is frequently used in ransomware attacks to steal Windows credentials from memory. These credentials allow the attackers to spread the ransomware to more systems.

Lateral movement

Attackers use stolen credentials and tools like PsExec to move laterally between systems and push ransomware out across the network.

Group policy objects (GPOs)

Ransomware may manipulate GPOs to force its payload onto systems attached to the domain.

Living off the land binaries (LOLBins)

LOLBins are legitimate system tools misused by malware. Ransomware uses LOLBins like PowerShell and Windows Management Instrumentation (WMI) to infect systems.
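The RDP brute-force attempts described earlier and the PsExec, GPO and LOLBin techniques described in this section all leave footprints in Windows event logs, which is where a defender looks for them. The script below is an added example written for this article, not code from the article or from any product; it assumes a simplified key=value log format with constructed sample events (IP addresses from the documentation ranges), and the field names mirror Windows event IDs 4624/4625 (logon), 4688 (process creation), 5136 (directory object modified) and 7045 (service installed). The thresholds are assumptions chosen for the example.

```python
"""Added example: spotting the spreading techniques above in Windows event logs.

The log lines are constructed for this example in a simplified key=value form
(real events come from the Security/System logs or a SIEM).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: an RDP password-guessing burst that ends in a successful
# logon, a PsExec service install, an encoded PowerShell launch, a WMI-spawned
# shell, a benign process start and a Group Policy object modification.
SAMPLE_LOG = """\
2024-05-01T10:00:01 host=DC01 EventID=4625 LogonType=10 SrcIP=203.0.113.5 User=admin
2024-05-01T10:00:03 host=DC01 EventID=4625 LogonType=10 SrcIP=203.0.113.5 User=admin
2024-05-01T10:00:04 host=DC01 EventID=4625 LogonType=10 SrcIP=203.0.113.5 User=backup
2024-05-01T10:00:06 host=DC01 EventID=4625 LogonType=10 SrcIP=203.0.113.5 User=jsmith
2024-05-01T10:00:07 host=DC01 EventID=4625 LogonType=10 SrcIP=203.0.113.5 User=jsmith
2024-05-01T10:00:09 host=DC01 EventID=4624 LogonType=10 SrcIP=203.0.113.5 User=jsmith
2024-05-01T10:05:00 host=DC01 EventID=4625 LogonType=10 SrcIP=198.51.100.9 User=alice
2024-05-01T10:12:30 host=FS01 EventID=7045 ServiceName=PSEXESVC ImagePath=C:\\Windows\\PSEXESVC.exe
2024-05-01T10:13:02 host=FS01 EventID=4688 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe ParentImage=C:\\Windows\\PSEXESVC.exe CommandLine="powershell.exe -nop -w hidden -EncodedCommand QQBBAEEA"
2024-05-01T10:13:40 host=FS02 EventID=4688 Image=C:\\Windows\\System32\\cmd.exe ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe CommandLine="cmd.exe /c whoami"
2024-05-01T10:14:00 host=WS07 EventID=4688 Image=C:\\Windows\\System32\\notepad.exe ParentImage=C:\\Windows\\explorer.exe CommandLine="notepad.exe notes.txt"
2024-05-01T10:20:15 host=DC01 EventID=5136 ObjectClass=groupPolicyContainer User=jsmith
"""

TOKEN = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...)
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|en|enc\w*)\b", re.IGNORECASE)


def parse_log(text):
    """Turn each line into a dict; the leading timestamp becomes a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, _, rest = line.partition(" ")
        event = {"ts": datetime.fromisoformat(stamp)}
        for key, quoted, bare in TOKEN.findall(rest):
            event[key] = quoted or bare
        events.append(event)
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Source IPs with >= threshold failed RDP logons (4625, LogonType 10) inside a
    sliding window; also reports whether a successful logon (4624) followed the burst."""
    by_ip = defaultdict(list)
    for e in events:
        if e.get("LogonType") == "10" and e.get("EventID") in ("4624", "4625"):
            by_ip[e["SrcIP"]].append((e["ts"], e["EventID"]))
    alerts = {}
    for ip, entries in by_ip.items():
        entries.sort()
        fails = [t for t, eid in entries if eid == "4625"]
        start = 0
        for end in range(len(fails)):
            while fails[end] - fails[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                success = any(eid == "4624" and t >= fails[end] for t, eid in entries)
                alerts[ip] = {"failures": end - start + 1, "success_after": success}
                break
    return alerts


def detect_psexec(events):
    """A service install (7045) named PSEXESVC is the classic PsExec footprint."""
    return [(e["host"], e["ts"]) for e in events
            if e.get("EventID") == "7045" and e.get("ServiceName", "").upper() == "PSEXESVC"]


def detect_lolbin_abuse(events):
    """Process creations (4688) showing encoded PowerShell, WMI-spawned shells
    or children of the PsExec service."""
    hits = []
    for e in events:
        if e.get("EventID") != "4688":
            continue
        image = e.get("Image", "").lower()
        parent = e.get("ParentImage", "").lower()
        if image.endswith("powershell.exe") and ENCODED_FLAG.search(e.get("CommandLine", "")):
            hits.append((e["host"], "encoded-powershell"))
        if parent.endswith("wmiprvse.exe") and image.endswith(("cmd.exe", "powershell.exe")):
            hits.append((e["host"], "wmi-spawned-shell"))
        if parent.endswith("psexesvc.exe"):
            hits.append((e["host"], "psexec-child"))
    return hits


def detect_gpo_changes(events):
    """Modifications (5136) of a groupPolicyContainer: GPO edits outside a change
    window deserve a look, since attackers push payloads through GPOs."""
    return [(e["host"], e.get("User")) for e in events
            if e.get("EventID") == "5136" and e.get("ObjectClass") == "groupPolicyContainer"]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("RDP brute force:", detect_rdp_bruteforce(evs))
    print("PsExec installs:", detect_psexec(evs))
    print("LOLBin abuse:", detect_lolbin_abuse(evs))
    print("GPO changes:", detect_gpo_changes(evs))
```

The burst-then-success pattern is the one to page on: five failures from one address followed by a successful type-10 logon is a password that was guessed, not a user who mistyped it. The single failure from the second address stays below the threshold and is not reported.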

Which systems are most at risk?

While ransomware can infect any system, attackers tend to prioritize infecting systems that maximize damage and extortion potential. Some of the systems most at risk include:

  • Domain controllers: Encrypting these can bring down Active Directory and isolate systems.
  • File servers: Mass encrypting shared company files provides leverage for large ransom demands.
  • Database servers: Databases contain critical business information attackers can hold hostage.
  • Email servers: Encrypted email hampers communication and operational efficiency.
  • Backup servers: Encrypted backups remove the ability to recover encrypted files.

Systems that serve vital functions or contain sensitive data are prime targets for ransomware encryption.

How is a ransom demand made?

Once files across a network are encrypted, the ransomware deploys its ransom demand via various methods:

  • A text file ransom note is placed onto desktops and servers with payment instructions.
  • Computer lock screens are replaced with ransom payment information.
  • A ransom note is shown when users try accessing encrypted files.
  • The attackers contact the organization directly to make the ransom demand.

The ransom notes contain information on how to pay the ransom, usually via cryptocurrency like Bitcoin. There are also threats and deadlines indicating consequences if the ransom is not promptly paid.

What are the consequences of ransomware attacks?

The impacts of a ransomware attack can be severe and crippling for organizations. Consequences include:

  • Denial of access to critical data and systems
  • Revenue and productivity losses from downtime
  • Costs associated with system and data recovery
  • Reputational damage and loss of customer trust
  • Regulatory fines or legal action for data breaches

In addition to the ransom demand itself, which can run into the millions, these downstream impacts make ransomware extremely costly. Cybersecurity firm Emsisoft estimates the global cost of ransomware may have exceeded $20 billion in 2021 alone.

Should ransom demands be paid?

One of the most complex decisions an organization faces when hit with ransomware is whether or not to pay the ransom demand. There are compelling arguments on both sides:

Reasons to pay the ransom

  • It may be the only way to regain access to encrypted data
  • The cost of the ransom may be less than downtime and recovery costs
  • Paying the ransom avoids reputational damage of a major incident

Reasons not to pay the ransom

  • No guarantee files will be decrypted after paying
  • Paying encourages more ransomware attacks
  • The ransom payment may exceed downtime and recovery costs
  • It violates laws prohibiting payment to sanctioned entities

There are merits to both perspectives. The right approach depends on each organization’s unique situation.

Steps to recover from a ransomware attack

If ransomware succeeds in encrypting systems, organizations should take the following steps to recover operations:

  1. Isolate and contain the malware to prevent further spread
  2. Assess the extent of infections across systems and data
  3. Determine if backups are available to restore encrypted files
  4. Rebuild systems from scratch that cannot be restored from backup
  5. Install patches and address vulnerabilities that allowed the attack
  6. Require password resets across the organization to prevent reinfection
  7. Resume business operations and monitor for new signs of compromise
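Step 2, assessing how far the encryption reached, and the ransom-note behaviour described earlier both come down to classifying files on a share. The script below is an added example written for this article, not code from the article or from any tool it names; it assumes that encrypted files show near-maximal byte entropy, that ransom notes carry a tell-tale name plus a few recurring words, and it uses a constructed sample directory. The entropy and size cutoffs are assumptions chosen for the example, and known compressed formats are recognised by their magic bytes so that archives and images are not mistaken for ciphertext.

```python
"""Added example: triaging a share after an incident.

Builds a constructed sample directory and classifies each file as a ransom
note, likely encrypted, a known compressed format, or plaintext.
"""
import math
import random
import re
import tempfile
from collections import Counter, defaultdict
from pathlib import Path

ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted or random data approaches 8.0 (assumed cutoff)
MIN_SIZE = 256            # entropy estimates on tiny files are unreliable (assumed cutoff)
# Legitimately high-entropy formats, recognised by magic bytes so they are not
# mistaken for encrypted files.
KNOWN_FORMATS = {
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
    b"7z\xbc\xaf": "7z",
}
NOTE_NAME = re.compile(r"readme|how[_ -]?to|decrypt|restore|recover", re.IGNORECASE)
NOTE_WORDS = ("bitcoin", "decrypt", "ransom", "payment", "tor browser")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty or single-symbol input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path) -> str:
    data = path.read_bytes()
    text = data[:4096].decode("utf-8", errors="ignore").lower()
    # Ransom notes: a tell-tale file name plus at least two of the usual words.
    if NOTE_NAME.search(path.name) and sum(w in text for w in NOTE_WORDS) >= 2:
        return "ransom-note"
    for magic, fmt in KNOWN_FORMATS.items():
        if data.startswith(magic):
            return f"known-format:{fmt}"
    if len(data) >= MIN_SIZE and shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "likely-encrypted"
    return "plaintext"


def assess_directory(root) -> dict:
    """Map each classification to the sorted list of file names that received it."""
    summary = defaultdict(list)
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            summary[classify_file(p)].append(p.name)
    return dict(summary)


def build_sample_tree() -> str:
    """Constructed sample share: a report, its encrypted twin, an archive and a note."""
    root = Path(tempfile.mkdtemp(prefix="ransom-triage-"))
    rng = random.Random(1)                       # seeded so the run is reproducible
    noise = bytes(rng.getrandbits(8) for _ in range(4096))
    (root / "q3-report.txt").write_bytes(b"Quarterly revenue summary. " * 200)
    (root / "q3-report.txt.locked").write_bytes(noise)   # stands in for ciphertext
    (root / "archive.zip").write_bytes(b"PK\x03\x04" + noise)
    (root / "README_DECRYPT_FILES.txt").write_text(
        "Constructed sample note: your files were encrypted; payment in Bitcoin "
        "is required to decrypt them.\n")
    return str(root)


if __name__ == "__main__":
    for kind, names in assess_directory(build_sample_tree()).items():
        print(f"{kind:20s} {', '.join(names)}")
```

Run against a real share, the counts per classification give the extent of the damage and the note names identify the family, which is what the restore decision in step 3 needs. Entropy alone is a heuristic: a file that was already compressed or encrypted before the attack scores the same as ciphertext, which is why the magic-byte check comes first, and a partially encrypted file (some families only encrypt the first megabyte) may fall below the threshold.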

With preparation and planning, organizations can effectively recover from ransomware attacks without paying the ransom. But restoring systems and data without backups can be extremely challenging and time-consuming.

Best practices for ransomware defense

Defending against the threat of ransomware comes down to cybersecurity best practices focused on prevention, early detection, and minimizing business impacts. Key best practices include:

  • Training employees to identify and report phishing emails
  • Keeping all software up-to-date with the latest patches
  • Using strong, unique passwords for all accounts
  • Enforcing the principle of least privilege for permissions
  • Segmenting networks to limit lateral movement
  • Deploying endpoint detection and response (EDR) tools
  • Maintaining layered backups offline and offsite
  • Regularly testing incident response and recovery plans

No single solution will fully protect against ransomware. But a defense-in-depth approach addresses the full attack lifecycle to stop ransomware at any point.

The role of human error

While technical vulnerabilities enable ransomware to infiltrate networks, human error often plays an equally large role. Some common examples of human error contributing to ransomware attacks include:

  • An employee clicks a malicious link in a phishing email
  • Weak passwords like “Password123” allow brute force access
  • An IT admin fails to patch a known vulnerability
  • Outdated backups fail to protect against recent infections

Ongoing security awareness training, enforcing strong passwords, and access controls are vital to address the human element in ransomware risk.

When should law enforcement get involved?

Notifying law enforcement and cybersecurity authorities can be beneficial when ransomware hits organizations. Reasons to involve authorities include:

  • The attack may violate laws prohibiting payments to sanctioned entities
  • Threat intelligence can support tracing and attributing the attack
  • It documents the incident to support potential legal or insurance claims
  • Law enforcement can help recover ransom payments that are shown to stem from illegal activity

Seeking assistance from law enforcement provides organizations with additional support and resources to manage the ransomware incident.

The future of ransomware

Ransomware unfortunately shows no signs of disappearing and will likely continue evolving as a cyber threat. Some predictions for the future of ransomware attacks include:

  • Ransom demands getting larger, exceeding millions of dollars
  • Attacks increasingly targeting critical infrastructure sectors
  • Emergence of ransomware-as-a-service lowering barriers to entry
  • Extortion going beyond just data encryption

As ransomware becomes more sophisticated, organizations will need to invest heavily in cybersecurity to manage the risk it represents.

Conclusion

Ransomware represents a serious threat to organizations given its ability to cause data loss, downtime, and costly business impacts. Understanding how ransomware infiltrates networks, spreads, and encrypts systems is essential for security teams to defend against these attacks.

By focusing on security best practices around prevention, detection, mitigation, and recovery, organizations can build resilience against the ever-evolving threat of ransomware. But because human error plays such a large role, organizations must also invest in comprehensive training to address the human element in ransomware risk.

Bolstering organizational vigilance, cybersecurity maturity, and incident preparedness provides the best safeguards against the crippling damage of ransomware.